
Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment using Azure AD Sync

Microsoft Corporation
Published: December 2014
Author: Mark Grimes

Acknowledgements
Special thanks to the following people for reviewing and providing invaluable feedback for this document: Joe Davies, Bill Mathers, Andreas Kjellman

Abstract
This document will assist IT professionals, administrators, architects, and developers in creating a test lab that uses Windows Azure Active Directory and Windows Server AD. The on-premises Active Directory identities will be synchronized by using Azure AD Sync.

Copyright

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place or event is intended or should be inferred.

Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Windows Azure, Forefront, MSDN, Outlook, SharePoint, SQL Server, Windows, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of companies. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment using Azure AD Sync

Windows Azure AD and Windows Server AD

In This Guide

Whether or not you already have Microsoft Azure and an available domain controller, this guide contains instructions for setting up a test lab for Azure AD Sync between Microsoft Azure and Windows Server Active Directory. This Test Lab Guide is partially based on the existing Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment.

This guide is also a reference article for SMB Common Identities, an article to help small and medium sized businesses understand all of the common identity scenarios that will enable identity integration with Microsoft Azure and Windows Server Active Directory. Once a common identity is established, Microsoft Azure, acting as an identity hub, can facilitate seamless sign-on with SaaS applications along with various other capabilities such as mobile scenarios and using Intune. A full copy of this document is available for offline viewing here.

NOTE: If your small or medium sized business is going to have only Cloud Identities, i.e. you will not maintain servers on-premise and will only use Microsoft Azure Active Directory, then this Test Lab Guide does not have a use case. This Test Lab Guide is ONLY to provide guidance in simplifying synchronization of an on-premise Active Directory Domain Controller with Microsoft Azure Active Directory.

Test Lab Overview

In this test lab, we move from the original base configuration to using the base configuration that is enabled for cloud related technologies. This means that the machines are no longer isolated from the internet and are able to communicate with cloud services such as Windows Azure. No additional servers or machines are required beyond those that are required for the base configuration outlined in step 1. However, this guide does deviate somewhat from that configuration, so see the Test Lab Guide Specific Information and Instructions below.

The following is an architectural diagram of this test lab guide.

Test Lab Guide Specific Requirements

There are no additional hardware requirements. There is one additional software requirement, which is for the Azure AD Sync tool. There are also a few specific things that this test lab will require. The following table provides a summary of the required items for this test lab guide.

Requirement | Comment
Windows Azure 30-day Trial | Windows Azure Free Trial
A Microsoft Account | Microsoft account
A Mobile Phone that can receive text messages | Required for Windows Azure verification.
A valid Credit Card | Required for Windows Azure Free Trial.
Microsoft Azure AD Sync tool | Microsoft Azure AD Sync tool
Windows Server 2012 R2 installation files | This includes .NET 4.5, which is required by the Azure AD Sync tool. This is installed as a Feature in the Server 2012 R2 Server Manager.

Steps for Creating a Windows Azure AD and Windows Server AD Environment Test Lab

There are eight steps to follow when setting up the Creating a Windows Azure AD and Windows Server AD Environment Test Lab Guide.

Step 1: Set Up the Configuring the Windows Server 2012 Base Configuration Test Lab for Public Cloud Technologies - The Base Configuration is the core of all Test Lab Guide scenarios. This test lab guide has been modified so that the base configuration can be used with cloud technologies.
Step 2: Sign-up for a Windows Azure 30-Day Trial - In this step we sign up for our Windows Azure trial.
Step 3: Create a Windows Azure AD Tenant - In this step we create our Windows Azure Active Directory tenant.
Step 4: Prepare the Windows Azure AD Tenant for Synchronization - In this step we configure our tenant so that it can synchronize with our on-premise Active Directory.
Step 5: Create Organizational Units and Test Users in Windows Server AD - In this step, we create the on-premise AD structure that we are going to synchronize with our Windows Azure AD tenant.
Step 6: Download and Install Azure AD Sync - In this step we download, install, and do an initial configuration of the software that will be used to synchronize our directories.
Step 7: Configure Azure AD Sync to specific Organizational Units - In this step, we customize the Microsoft Azure AD Synchronization Tool to only synchronize certain users from our on-premise AD.
Step 8: Run Azure AD Sync and Verify Results - In this step we run the tool and verify the results.

Test Lab Guide Specific Information and Instructions

The following section is a list of additional information on configuring the test lab. It also includes items that may be omitted from the test lab guides that this test lab builds upon. This is to allow for quicker deployment.

The following is a list of general information and instructions:

This test lab can be set up with just one DC1, either on-premise or within Azure Active Directory. No other machines from the base configuration are required.
If you already have an on-premise Domain Controller, or else Microsoft Azure and a Domain Controller in Azure Active Directory, then you can skip the relevant sections below.
Assuming you have Azure Active Directory set up in your tenant and also a Domain Controller, then you could skip to Step 4 to prepare the Azure AD Tenant for synchronization.

Step 1: Set Up the Configuring the Windows Server 2012 R2 Base Configuration Test Lab for Hybrid Identities Synchronization

Set up the Base Configuration test lab based on the instructions in Windows Server 2012 R2 Test Lab Guide. The TechNet article Configuring the Windows Server 2012 Base Configuration Test Lab for Public Cloud Technologies further describes the overall setup. For the purposes of this Test Lab Guide, the APP1 server will not be used, but it can be built for other Test Lab Guides on TechNet. You ONLY need a DC1 built for this scenario.

NOTE: If you already have a Domain Controller setup on-premise, then there is no need to complete this step. OR, if you have a base Windows Server 2012 R2 server in Hyper-V or built in your Azure Portal.

This example lab was set up with a Domain Controller running in Hyper-V on a Windows 8.1 Host along with an MSDN subscription to Microsoft Azure. Below are the PowerShell commands that will elevate your Windows Server to a Domain Controller quicker than you can click it!

PowerShell your Windows Server 2012 R2 VM to make a DC fast!

If you already have a base Windows Server 2012 R2 image lying around and can use it for this lab, simply run the following two commands from PowerShell ISE.

    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    Install-ADDSForest -DomainName contoso.com

The commands above come from the Windows Server 2012 R2 Test Lab Guide. That document will also have you create a test user. Any user accounts necessary to set up Azure AD Synchronization are fully described in the steps below.

Step 2: Sign-up for a Windows Azure 30-Day Trial

The first thing we are going to do after setting up the Base Configuration for Cloud Technologies is to sign up for a Windows Azure 30-Day Free Trial. You will need a Microsoft account, a mobile phone and a credit card to complete this step.* The trial accounts do have account limits, so the credit card will not be charged. Unless, of course, you do not heed the warnings and go over the limits!

* NOTE: If you have used the same mobile phone to set up other tenants or trials, the mobile verification may fail. This is for security. If that does happen, contact the support on that same page and they will fix this to allow the same mobile number to be reused.

Signing up for Azure involves the following steps below.

Sign-up for a Windows Azure 30-Day Free Trial

Use the following procedure to sign up for a Windows Azure free trial.

To Sign-up for a Windows Azure 30-Day Free Trial
1. Open Internet Explorer and navigate to
2. At the very top, click Free Trial. This will go to the free trial page.
3. On the free trial page, click Try it now. You will be asked to sign in with your Microsoft account.
4. After signing in, you will see the sign-up page. Verify the information in section 1, About you.

5. In section 2, enter your mobile phone number and click Send Text Message. Wait for the message to be sent to your phone.
6. Enter the code that was sent to your phone and click Verify Code.

7. Next, enter your valid credit card information in section 3 as shown below.
8. Read the Windows Azure Agreement, Offer Details, and Privacy Statement, then place two checks in the boxes and click Sign Up. This will take you to a screen that provides a summary of your subscription. At the top, click Portal.

9. This will take you to the Windows Azure Portal. You will be presented with the Windows Azure Tour wizard. If you haven't taken the tour before, it is short and worth walking through. Otherwise you can close it.

Step 3: Create a Windows Azure AD Tenant

Now that we have a Windows Azure subscription, we are going to create a Windows Azure Active Directory Tenant. This will be the cloud directory that we synchronize our on-premise AD directory with.

Create a Windows Azure AD Tenant

Use the following procedure to sign-up for a Windows Azure free trial.

To Create a Windows Azure AD Tenant
1. If you are not already signed in to the Windows Azure Portal, do this first.
2. In the Windows Azure Portal, on the left, scroll down and click Active Directory. This will take you to the active directory screen in the Windows Azure portal.
4. At the bottom, click New. This will bring up a pop-up menu, where you will select Directory in the right-most column.

5. Click Custom Create. Then fill out the fields below in the Add directory dialog box. For the name, use a unique name that you would like to use for your lab. If the name is not unique, the interface will let you know! The green check mark lets you know when it is unique.

5. Ensure Create new directory is selected and then enter the Name, Domain Name, and select a country or region from the drop-down. Click the check mark in the lower right hand corner.
6. The directory should now be created and will appear at the top of the active directory page in the Azure Portal.

Step 4: Prepare the Windows Azure AD Tenant for Synchronization

Now that we have a tenant, we must prepare it in order to synchronize it with our on-premise Active Directory. This step involves the following:

Verify your domain
Set domain as Primary
Create a global administrator account in our Windows Azure AD tenant.
Activate Windows Azure AD Tenant for Synchronization

Verify your domain

When you create the Windows Azure AD tenant, a basic domain with <your domain name>.onmicrosoft.com is created. But if you want to use a domain name that is registered and that you own, then you can add and use a custom domain. Because we had a custom domain for this demo setup, we chose to use as the domain name in our Windows Azure AD tenant. Therefore, the first thing we had to do was verify the domain. If you choose to take the same approach, then use the following steps to verify your domain.

NOTE: This is NOT required to do this lab, although in our example we did purchase a domain name and set it up. If you have or do purchase a Domain Name at a Registrar, the detailed steps are included at Verify a domain at any domain name registrar on MSDN. The example steps used in the validation of this lab are outlined below. Once your new domain name is verified, then further below you will set it to be the primary domain name to be used.

To verify your domain
1. If you are not already signed in to the Windows Azure Portal, do this first.
2. In the Windows Azure Portal, on the left, scroll down and click Active Directory. This will take you to the active directory screen in the Windows Azure portal.
3. On the right, click on our newly created tenant. This will bring up <Your Directory> directory screen.
4. At the top, click on Domains. This will bring up the domains screen.
5. At the bottom of the Domains page, click Add. This will bring up the add domain wizard.
6. Enter your registered <domain name> in the box and click add.
   Important: Do not place a check in the single sign-on box. This TLG does not demonstrate single sign-on.
7. You should see a notice that the domain was successfully added. Click the right arrow. This will bring up a Verify the domain screen.
8. Windows Azure AD uses a DNS record that you create at your domain name registrar to confirm that you own the domain. At this point, you need to add the value in the Destination or Points to Address to a DNS record at your domain name registrar. For example, if you use godaddy.com you would sign in there and add the DNS record to your domain. Use the steps outlined here to assist with this.

9. This may take a little while, but once it is verified you will see the status change to verified.

Set domain as Primary

Now that the domain has been verified, we need to set the domain as our primary domain. Use the following procedure to set our verified domain to the primary domain.

To set domain as primary
1. If you are not already signed in to the Windows Azure Portal, do this first.
2. In the Windows Azure Portal, on the left, scroll down and click Active Directory. This will take you to the active directory screen in the Windows Azure portal.
3. On the right, click on your newly created tenant above the Default Directory. This will bring up your new directory's screen.

4. At the top, click on Domains. This will bring up the domains screen.
5. At the bottom of the screen, click Change Primary. This will bring up a change primary screen.
6. Make sure that your domain is selected under the New Primary Domain heading and click the check mark.
7. Your domain should now be set as the primary domain.

Create a global administrator account in our Windows Azure AD tenant.

In order to synchronize with Windows Azure AD, the directory synchronization utility (Azure AD Sync) needs to know of an account with administrative privileges so that it can create, delete, and update users and groups. Use the following procedure to create a global administrator account in our new tenant.

To Create a Windows Azure AD global administrator
1. If you are not already signed in to the Windows Azure Portal, do this first.
2. In the Windows Azure Portal, on the left, scroll down and click Active Directory. This will take you to the active directory screen in the Windows Azure portal.
3. On the right, click on our newly created tenant. This will bring up your directory screen.

4. At the top, click on Users. This will bring up the users screen. There should be only one account in here, the Microsoft account you used to sign up for your Azure subscription.
5. At the bottom, click Add User. This will bring up the add user wizard.
6. Enter a user name for the user and then click the arrow in the lower right.
7. Enter the first name, last name, display name, and select Global Administrator from the drop-down. Click the right arrow.

8. Click the create button to create the user and get a temporary password.

9. This will create the account and assign it a temporary password. Use the icon next to the temporary password to copy it to the clipboard.

10. This will bring up a pop-up asking whether or not to allow Internet Explorer access to the clipboard. Click allow access. Click the check mark.
11. Now, in the portal, at the top, click the user account you are logged in as and select sign out from the drop-down.

12. This will sign you out and you will see a screen that says you have been signed out. Click Sign In Using Your Organizational Account.
13. Now sign in to the portal with the newly created administrator account using the password we copied to the clipboard. The Organizational Account consists of your user name, the @ symbol, and the primary domain name for your tenant. Example:

14. Once signed in, you will be prompted to change your password. Go ahead and set the password to one of your choosing. This password will be required again when we set up the Azure AD Sync tool, so don't forget it! Click submit.

15. Windows Azure will now attempt to log you on. You will see a screen that says you do not have a Windows Azure subscription associated with this account. This is correct, as our subscription is associated with our Microsoft account. At this point, just close Internet Explorer because the password has been changed.

Activate Windows Azure AD Tenant for Synchronization

Finally, we need to flip the switch that allows us to synchronize with this directory in Windows Azure. Use the following procedure to activate this Windows Azure AD tenant.

To Activate Windows Azure AD Tenant for Synchronization
1. Sign back in to the Windows Azure Portal with the original account you first started with.
2. In the Windows Azure Portal, on the left, scroll down and click Active Directory. This will take you to the active directory screen in the Windows Azure portal.
3. On the right, click on your new tenant. This will bring up your directory screen.
4. At the top, click on Directory Integration. This will bring up the directory integration screen.
5. In the middle of the screen, next to Directory Sync, change Deactivated to Activated. At the bottom, click Save.

Step 5: Create Organizational Units and Test Users in Windows Server AD

Now that we have Windows Azure AD set up, we need to create the Organizational Unit structure in our on-premise AD environment and populate the OUs with a couple of users. This step consists of the following.

Create Organizational Units
Create Test Users

Create Organizational Units

Use the following procedure to create the organizational units.

To create the Organizational Units

1. On DC1 (or whatever DC you are using), open Active Directory Users and Computers.
2. Right-click on smbaadsync.com (or the name of your forest) and select New and then select Organizational Unit.
3. In the name box, enter AADSYNC_USERS and click Ok.
4. Right-click on AADSYNC_USERS and select New and then select Organizational Unit.
5. In the name box, enter Engineering and click Ok.
6. Right-click on AADSYNC_USERS and select New and then select Organizational Unit.
7. In the name box, enter Sales and click Ok.
8. The OU structure should now look like this

Create Test Users

Now we will create one user in each of the new OUs that we created: one in Engineering and one in Sales. Use the following procedure to create the Users.

To create test users
1. Right-click on Engineering and select New and then select User.
2. Enter the following and then click Next.
   First Name: Britta
   Last Name: Simon
   Full Name: Britta Simon
   User logon name: bsimon
3. Enter a password for the user, remove the check from User must change password at next logon and place a check in Password never expires.
4. Click Finish.
5. Right-click on Sales and select New and then select User.
6. Enter the following and then click Next.
   First Name: Lola
   Last Name: Jacobson
   Full Name: Lola Jacobson
   User logon name: ljacobson
7. Enter a password for the user, remove the check from User must change password at next logon and place a check in Password never expires.
8. Click Finish.
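The Step 5 clicks can also be scripted, which makes the lab repeatable and easy to tear down. The following is an added example, not part of the original guide; it assumes it is run in an elevated session on the lab domain controller with the ActiveDirectory module available, and that the AD DNS name is the UPN suffix you want (the New-LabOU helper is hypothetical).

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the guide): builds the Step 5 OU tree and test users.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$rootDN    = $domain.DistinguishedName   # for example DC=contoso,DC=com
$upnSuffix = $domain.DNSRoot             # assumption: UPN suffix = AD DNS name

function New-LabOU {
    # Creates OU=$Name directly under $Path unless it exists; returns its DN.
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Path)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
                    -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        # New OUs are protected from accidental deletion by default.
        New-ADOrganizationalUnit -Name $Name -Path $Path
    }
    "OU=$Name,$Path"
}

$syncOU  = New-LabOU -Name 'AADSYNC_USERS' -Path $rootDN
$engOU   = New-LabOU -Name 'Engineering'   -Path $syncOU
$salesOU = New-LabOU -Name 'Sales'         -Path $syncOU

# The two test users from the guide, one per child OU.
$users = @(
    @{ Given = 'Britta'; Surname = 'Simon';    Sam = 'bsimon';    OU = $engOU },
    @{ Given = 'Lola';   Surname = 'Jacobson'; Sam = 'ljacobson'; OU = $salesOU }
)

foreach ($u in $users) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'") {
        Write-Host "$($u.Sam) already exists, skipping"
        continue
    }
    # Prompt instead of embedding a password in the script.
    $pw   = Read-Host -AsSecureString -Prompt "Password for $($u.Sam)"
    $full = "$($u.Given) $($u.Surname)"
    New-ADUser -Name $full -DisplayName $full `
        -GivenName $u.Given -Surname $u.Surname `
        -SamAccountName $u.Sam `
        -UserPrincipalName "$($u.Sam)@$upnSuffix" `
        -Path $u.OU -AccountPassword $pw -Enabled $true `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true
}

# Show what now sits under the OU that Step 7 scopes the sync to.
Get-ADUser -Filter * -SearchBase $syncOU |
    Select-Object SamAccountName, UserPrincipalName, DistinguishedName
```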

Step 6: Download and Install Azure AD Sync

Now that we have prepared Microsoft Azure AD and created our test OU structure and populated it with users, we can download and install the Azure AD Sync tool. The following section consists of the following:

Download and Install the Microsoft Azure AD Synchronization Tool
Configure the Microsoft Azure AD Sync Tool

System Requirements

You need an account with local administrator privileges on your computer to install AADSync. Additionally, an Azure Account needs to be created in your AAD Tenant that has the Global Administrator Role selected.

AADSync requires a SQL Server database to store identity data. By default a SQL Express LocalDB (a light version of SQL Server Express) is installed and the service account for the service is created on the local machine.

These are both the minimum and the supported Operating Systems: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2.

SQL Server Express has a 10GB size limit that enables you to manage approximately objects. If you need to manage a higher volume of directory objects, you need to point the installation process to a different version of SQL Server.

Download and Install the Microsoft Azure AD Synchronization Tool

Now we will download and install the Microsoft Azure AD Synchronization Tool, also known as the Azure AD Sync tool. You will install this on your Domain Controller. Use the following procedure to download and install Azure AD Sync.

1. You can download the Azure AD Sync tool from Microsoft Azure AD Sync tool 64 bit.
2. Once the download is complete, navigate to the file that was downloaded and double-click on Azure AD Sync.exe. You may get a security warning asking if you want to run this file. Click Run.
3. On the Welcome screen, click Next.
4. On the License Terms screen, review the terms, click the I agree to the license terms check box, and then click Install in the lower right of the window.
5. It will now start installing the components. This may take a few minutes.
6. In the Connect to Azure AD window, enter the Username and Password for your Global Administrator account, and then click Next.

7. If the step above fails, exit the dialog box. Click the start menu and type DirectorySyncTool. You will see the requirement as noted below.
8. Now log off of DC1 and log back on. The reason for this is that the account you installed the Azure AD Sync tool with was added to newly created security groups and we want to refresh your security token.

Warning: This step is only required when installing the Azure AD Sync tool on a domain controller. If it is installed on a member server, you do not have to log off and then back on prior to running the configuration wizard.

Configure the Microsoft Azure Active Directory Sync Tool

Now, log back on to DC1 and we will begin with the initial configuration of the Azure AD Sync tool. This will be a simple configuration, and the next step will walk us through the advanced configuration of scoping our OUs. Use the following procedure to run the Azure AD Sync Configuration Wizard.

To configure the Microsoft Azure AD Sync Tool
1. On your Domain Controller, click the Windows Icon in the lower left corner. This will take you to the Start screen.
2. On the Start Screen, type Dir to find the DirectorySyncTool and select it.
3. On the Azure AD Credentials screen, enter the username and password of the global administrator account you created for your tenant. Click Next.

5. On the User Matching window below, most SMB organizations will just click Next. If other options need to be considered, see the article Matching across forests for more information on the options shown below.

The sourceAnchor attribute is an attribute which does not change during the lifetime of a user object. In single-forest environments, and where the account is never moved between forests, objectGUID is a good candidate. If the user is moved between forests or domains, then an alternative attribute must be selected.

The userPrincipalName attribute is the user's login ID in Azure AD. By default the userPrincipalName attribute in AD DS is used. If this attribute is not routable or not suitable as the login ID, a different attribute, such as mail, can be selected during the install.

8. On the Optional Features window, leave the defaults and click Next. Note the little blue information icons, which will also go to that specific page to learn more.

9. This will begin the Configuration. Once the configuration is complete, click Next.
10. On the Finished screen, deselect the check mark out of Synchronize now and click Finish.
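The sourceAnchor and userPrincipalName choices on the User Matching window can be checked against the directory before the first sync. The following is an added example, not part of the original guide: it relies on the fact (not stated in the guide) that when objectGUID is the source anchor, the value stored on the cloud user is the Base64 encoding of the GUID's byte array, and it flags users whose UPN suffix is not in a list of verified domains. The function names are hypothetical and 'example.com' is a placeholder for your verified domain.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the guide): pre-sync check of anchor and login ID.
Import-Module ActiveDirectory

function ConvertTo-SourceAnchor {
    # objectGUID -> Base64 of its 16-byte array (the anchor form).
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-SourceAnchor {
    # Base64 anchor -> objectGUID, to trace a cloud user back to on-premise AD.
    param([Parameter(Mandatory)][string]$Anchor)
    $bytes = [Convert]::FromBase64String($Anchor)
    New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

# Offline round trip on a constructed GUID (not a real object).
$sample = [guid]'11111111-2222-3333-4444-555555555555'
$anchor = ConvertTo-SourceAnchor -ObjectGuid $sample
if ((ConvertFrom-SourceAnchor -Anchor $anchor) -ne $sample) {
    throw 'Anchor round trip failed'
}

function Get-SyncAnchorReport {
    # One row per user under $SearchBase: the anchor that will identify the
    # user for its lifetime, and whether the UPN suffix is a verified domain.
    param([Parameter(Mandatory)][string]$SearchBase,
          [Parameter(Mandatory)][string[]]$VerifiedDomain)
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties mail |
        ForEach-Object {
            $suffix = ($_.UserPrincipalName -split '@')[-1]
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $_.UserPrincipalName
                UpnRoutable       = $VerifiedDomain -contains $suffix
                Mail              = $_.mail   # fallback login ID candidate
                ObjectGuid        = $_.ObjectGUID
                SourceAnchor      = ConvertTo-SourceAnchor -ObjectGuid $_.ObjectGUID
            }
        }
}

# Report on the OU tree from Step 5.
$base = "OU=AADSYNC_USERS,$((Get-ADDomain).DistinguishedName)"
Get-SyncAnchorReport -SearchBase $base -VerifiedDomain 'example.com' |
    Format-Table -AutoSize
```

Renaming a user or moving it between OUs leaves objectGUID, and so the anchor, unchanged; migrating the account to another forest creates a new object with a new GUID, which is why the guide says an alternative attribute is needed in that case.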

Step 7: Configure Azure AD Sync to specific Organizational Units

Now that we have installed and initially configured Azure AD Sync, we are going to do some advanced configuration so as to only synchronize certain OUs and not our entire on-premise Active Directory. This section consists of the following:

Create a service account to run the Active Directory Connector
Configure Azure AD Sync to Specific Organizational Units

Create a service account to run the Active Directory Connector

The account used by the Active Directory Connector is created by the Azure AD Sync tool during configuration. If we want to synchronize everything in our directory we can use this account; however, because we want to scope this to only specific OUs, we need to create an account to run the Active Directory Connector. Some of you may ask why we can't just change the password of the account that was created by Azure AD Sync. The reason is that this can cause issues with the automatic synchronizations, and this is an unsupported configuration.

For purposes of this test lab, we will make the service account a member of domain admins. For information on restricting the connector with the least amount of privileges required, see the Forefront Identity Manager documentation. Use the following procedure to create a service account.

To create a service account
1. In Active Directory Users and Computers, right-click on the Users OU and select New and then select User.
2. Enter the following and then click Next.
   First Name: AD Connector
   Last Name: Account
   Full Name: AD Connector Account
   User logon name: adconn
3. Enter a password for the user, remove the check from User must change password at next logon and place a check in Password never expires.
4. Click Finish.
5. In the Users OU, right-click on the new AD Connector Account and select properties.

6. In the properties, at the top, click Member Of and click Add.
7. In the Select Groups box, enter domain admins and click Check Names. This will resolve with an underline. Click Ok.
8. Click Apply. Click Ok. Close Active Directory Users and Computers.

Configure Azure AD Sync to Specific Organizational Units

Use the following procedure to configure Azure AD Sync to only synchronize specific organizational units of your on-premise AD.

To configure Azure AD Sync to specific organizational units
1. Navigate to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Azure AD Sync and double-click miisclient.exe. Shortcut Tip: click the Start menu and type miisclient, then select it.
2. In the Synchronization Service Manager tool, first click the Connectors button beneath the menu, and then double-click on the Active Directory Domain Services Connector to bring up the Active Directory Connector properties again.
3. On the left, click Configure Directory Partitions. This will bring up the Configure Directory Partitions section.
4. Click the Containers button. You will be prompted for the Password for the User Name account. Remove this account and add the information for the new account we just created.

5. Now the containers screen will come up. The easiest way to configure this is to deselect the check box from the root of the tree (in the example below, DC=contoso,DC=com). This will remove all of the checks. Now place a check mark in just the AADSYNC_USERS container. This will check that container and all child containers. In our case, this includes the Engineering and Sales containers.
6. Click OK. Click OK again. The Active Directory Connector properties should have closed and we have successfully set the scope. In the next section we will run syncs and verify our results.

7. Since we deselected Synchronize now at the end of the Azure AD Sync tool, it created a disabled task in Task Scheduler. You will need to enable this for synchronization to occur. From the Start menu, start typing Task Scheduler until it appears in the menu and then select it.
8. Click on Task Scheduler Library in the left window, and then right-click on Azure AD Sync Scheduler in the middle pane and select Enable.
9. From the Actions pane on the right, select Run to force a synchronization so that the results will appear below. After that, the synchronization will repeat every 3 hours.

Step 8: Run Azure AD Sync and Verify Results

Now it is time to verify that the results are synchronized to Microsoft Azure AD. However, this may take up to 3 hours. This is the automatic synchronization interval for the Azure AD Sync tool. Although the ability to run the connectors manually is available in the UI, this is not supported as this will interfere with the automatic schedule. This section consists of the following:

Verify the User has been synchronized
Verify the password has been synchronized.

Verify the User has been synchronized

Now we will verify that the users have been synchronized. Use the following procedure to verify the user has been synchronized.

To verify the User has been synchronized
1. Open Internet Explorer and navigate to and log in with your Microsoft account.
2. In the Microsoft Azure Portal, on the left, scroll down and click Active Directory. This will take you to the active directory screen in the Microsoft Azure portal.
3. On the right, click on your domain. This will bring up your directory screen.
4. At the top of the window, click on Users. This will bring up the users screen. You should see our two new users.

Verify the password has been synchronized.

Now we will verify that the password has been synchronized. To do this we will log on to with Lola Jacobson's account. This will show her the applications that she has access to and she will also be able to view attributes associated with her account. This site uses cloud authentication against your instance of Microsoft Azure AD.

To verify the password has been synchronized.
1. Sign out of Windows Azure and close any open browsers. Then re-open Internet Explorer and navigate to

2. Log in as Lola your domain. You should see the applications screen similar to the one below.

3. Now, at the top, click profile. You should see the attributes and have the ability to change your password.

Warning: The attributes will actually say N/A, since we did not configure any of them.

4. You can now close Internet Explorer.

Summary

This ends the Test Lab Guide: Setting up Azure Active Directory and Azure AD Sync. We have successfully synchronized our on-premises Active Directory with Windows Azure AD using Azure Active Directory Sync. This test lab guide will be used as the basis for additional test lab guides in the future that take advantage of a hybrid environment.
